I’m currently preparing for the WatchGuard Firebox certification and wanted to ask for some advice from those who have already passed.

What study resources did you find most helpful? Did you focus more on hands-on practice with Firebox configuration, policies, VPN setup, and certificates, or mostly on theory?

I’ve been practicing labs and reviewing different study materials. I also checked some practice questions from Passexam4sure to test my understanding and identify weak areas.

Any tips on important topics, common mistakes, or exam pattern insights would be really appreciated.

Thanks in advance 🙂

Long story short, I have an group scanning the external side of my firebox for security auditing from our corporate organization. This post is in regard to the default webserver page enabled with the SSL VPN.

I'm getting negative marks for:
"This server supports TLS 1.1."

And for using these ciphers:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp384r1 (eq. 7680 bits RSA) FS
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp384r1 (eq. 7680 bits RSA) FS
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp384r1 (eq. 7680 bits RSA) FS
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp384r1 (eq. 7680 bits RSA) FS
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 2048 bits FS
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 2048 bits FS
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 2048 bits FS
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 2048 bits FS

I do have an active support case regarding this but desire to learn more about how this works.

I'm told by Watchguard: TLS functionality and ciphers used seem to be set via the CA
I'm told by the person who issues our certificates: This functionality should be modified at the web server

How should this be resolved. I do not know how certificates work as I've only recently been brought into a role where that knowledge is relevant. I'm also finding that the whole IT Security topic is so vast that I may never comprehend everything.

The cert is valid and was generated by digicert with a CSR from OpenSSL as recomended by watchguard with commands specific to our organization (Per the person who generated the certificate).

Posting this now and hope to revisit sometime tomorrow or over the weekend but will be traveling. I'd love nothing more than to have some truly educational responses when I get back to it though.

On my test machine to trial the 12.11 client (including SMAL auth, which works great), I get a certificate mismatch warning on the first run. If I install the certificate but cancel the connection. On the next run I get a different warning that the certificate name does not match the name of the site.

I don't recall having to have made any changes with the firebox certs previously so I'm a little unsure of the next steps.
This official WG video runs through the steps to add a cert with a valid SAN names. https://youtube.com/watch?v=tDoC9_O2mUw

1. If I do this will this disconnect existing VPN sessions?
2. If I do this will it affect the VPN clients still running 12.10?

I'm happy enough to distribute the updated certificate when I roll out the upgrade to 12.11. I'll package it up into an intunewin and deploy via InTune. I already include an OpenVPN & a Watchguard cert this way.

I'm just a bit worried if modifying the CA cert will affect anyone using the older VPN client.

Additionally we have a couple of users using the IKEv2 method, will this be affected if the cert if updated?

Windows PowerShell with POSH-SSH module for login and grabbing session stream. I am using following command

import certificate proxy-server from ftp://@172.30.1.174/ex2016_owa.pfx SuperPassWord

Auto-Fill password and name. After import ist complete the Default certificate ist overwritten. I am currently not able to add additional proxy certs via cli.

Other attempt with web-gui generated a generic name: (server-1) I tried to re-import via gui and new display name is "test-mf". I used cli to list certificates. "test-mf" was not found, but server-1. Seems like the original cert name was kept.

For automisation we want to use CLI. Currently default cert replacement works, because we use a wildcard cert.

Why is the name ignored when we use cli command to import? Bug? Hidden parameters available?

In general import via cli works fine. But we can't really control cert name, neither overwrite of existing default certificate.

Furthermor, display name != name

It is possible to import certs automatically without usning web-gui/ api. Just with a simple CLI command, that uses all needed parameter: Name, Display Name, Overwrite....

Currently cert-data, password and purpose seems to be accepted.

greetz Maik

I've currently got a certificate issue on the WG that I'd like some advice on. We have a M390 with an SSLVPN portal set up where users can go and login and download the VPN client.

A few weeks ago it appears something happened to the certificate and now the site is coming up with 403 Forbidden when accessed.
The current wildcard certificate that we use for our other sites is valid and expires in August 2025. I tried to import the current cert again using WSM and WebUI but it is coming up as Revoked. I thought it may have been an old expired cert or a copy that was revoked (which doesn't make sense since all our other sites are still working fine) but nonetheless duplicated the current wildcard cert from our 3rd party cert provider portal and tried importing yet still came up as revoked.

I downloaded the CRL and the serial number for our cert is on the list and the date of revocation is August 2024 which was also puzzling, since the site definitely hasn't been down for that long.

I haven't tried generating a fresh CSR and going through that process yet, I thought importing a valid duplicate of the wildcard would be enough but apparently not.

If anyone could provide some suggestions on how to proceed from here, that would be great. Our current wildcard is definitely valid, but I can't explain how it is on the CRL. I have a fairly basic knowledge of certificates so currently stuck on how to proceed from here.

Next step - CSR request from the WSM/WebUI maybe?

Thank you

We installed a new T45. We have TSS and HTTPS TLS deciphering turned on. Its in a small office with no domain. We have one machine, a current Win11 Home Surface, that will not use the certificate. We import it and we get a message that it was successfully imported. But the browser still prompts and checking the certificate manager, it doesnt show up at all. The other machines in the office import and are working fine. For now, I had to turn off the feature because of this one user.

I'm hoping someone has seen this and has an idea. TIA!

2024-09-27T10:36:23.588 OVPN:>LOG:1727447783,N,VERIFY ERROR: depth=0, error=unable to get local issuer certificate: O=WatchGuard_Technologies, OU=Fireware, CN=Fireware SSLVPN Server, serial=1711096694

2024-09-27T10:36:23.588 OVPN:>LOG:1727447783,N,OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

This is Windows 11 box and all Windows 10 machine don't have issues connecting.
I have tried removing all Watchguard and Fireware certicates and
loading from http://:4126/certportal

certificate loads fine and says status is OK, no error viewing the certificate.
It is loaded into Trusted Root Certificate Authorities

but after it loaded and connection keep failing.

recently migrated from M270 box to M-T85, this is Win 11 stop connecting to new cert of the M-T85

Any suggestions?

i'm not able to choose my imported wildcard certificate for the Firebox Web Server ( Access Portal).
I've imported the .pfx file and three freshly imported certificates were shown in the certificate list ( System Manager). CA-CA2-mywildcard. The type of the CA certificates are recognized as 'CA Cert', my wildcard certificate is recognized as 'Web Server' ( also one of the default certificates ( cn=ike2muvpn Server) is listed as 'Web Server'. For other purposes i've another certificate imported on that firebox, cn=myExternalIP and type = 'IPSec / Web'. I'm able to select both of them as 3rd party certificate (Policy Manager), why isn't my wildcard certificate shown?

Firebox M570 Version 12.5.3
System Manager v12.6.3
Policy Manager v12.6.3

Thanks and stay healthy folks

We uses a number of inbound proxies to manage traffic into webservers, and all has been good using a wildcard cert. for years, over upgrades and cert replacements.

Last weekend, the CA decided to revoke our certificate due to the way they validated the domain no longer being deemed secure.

I got a new cert issued, using IIS to create the CSR and then exported a PFX, as I have done numerous times before. I imported along with the intermediate and all seemed to be OK. That is until some apps that connect in to our servers began to fail, one specifically with a cert error.

Performing an SSL check (Qualys) showed that the cert chain is incomplete and the intermediate cert is not being presented by the Watchguard proxy.

I have tested using HTTP filters, and IIS passes the SSL test (ie presents the intermediate). Similarly, my Netscaler is fine as you build the links manually. The apps work again using a filter, so the chain issue must be causing the problem.

I have tried importing the inter and leaf certs in every way I can think of but with the same result.

I have never had this issue before, and intend to upgrade the version to latest (12.104 U2 at time of writing), but this has to be out of hours.

Does anyone have any experience or ideas?

Thanks!

I would like to fix the alert about the certificate of my SSL web page as you see in the screenshot:

How should i proceed?

When i've uploaded my public certificate (pfx) in watchguard Web UI i can see many certificates, wich one i have to set as default one?

Right now i've got this as default:

If I change certificate do we experience disruptions?

Thank you in advance.

M470 12.9.4

I just finished updating my third party security certs used for the the access portal, web, and SSL VPN. After I choose the new cert in Policy Manager and save it to the Firebox I receive the following error, which I have never seen before every time I've done this.

"Proxy action - HTTPS-Server.3 is using and invalid Proxy Server certificate. Please select a valid certificate before saving the configuration to the box."

Looking at this particular proxy action I see no way to change the certificate it's using.

Never had this issue before updating the certs on any firebox before.

Thoughts?

Thanks!

• Doug

Thanks...

When our secuirty software, Heimdal security, tries to access their proxy system, i am getting this error:

pxy server requested client certificate - not supported

The browser certificate warning, i am getting is on *.heimdalsecurity.com which works fine during normal browsing, but when the software does some kind of inspection on dns/tls connections, we sometimes get this error presented.

Testing heimdalsecurity.com with fairssl shows:
rDNS (192.124.249.38): cloudproxy10038.sucuri.net.

So i added cloudproxy10038.sucuri.net to a https filter and now it works as expected as the wg proxy is not involved. I guess the server software demands the heimdal client to present a certificate which is not a supported feature by wg proxy or?

Regards
Robert

We're getting this message using our WiFi on our iPhones and trying to access Outlook.

Cannot Verify Server Identity
The identity of "m.hotmail.com" cannot be verified

Details:

Certificate
Outlook.com
Issued by Fireware HTTPS (SN 80130...

Not Trusted
Expires 4/26/24, 7:59:59 PM

We're using the correct passwords and MFA, how do we update a certificate on an iPhone?

1. If we use a wildcard cert of *.domain.com, will the scan still come back as failing because its hitting the IP address not the domain?
2. Will this break anything? They do not use any VPN but I do believe there is a tunnel from their firewall to another vendor's firewall (they have offsite servers at a datacenter managed by another company).

Thank you in advance.

certd Certificate (subject=c=HK,o=Hongkong Post,cn=Hongkong Post Root CA 1) is expired. msg_id="4001-0004"

Looking at the certs I see;

Certificate Details
Subject name c=HK o=Hongkong Post cn=Hongkong Post Root CA 1
Subject alt name
Imported/Created Tue May 09 2023 16:06:11 GMT+0100 (British Summer Time)
Issuer c=HK o=Hongkong Post cn=Hongkong Post Root CA 1
Valid from May 15 05:13:00 2003 GMT
Valid to May 15 04:52:00 2023 GMT
Algorithm RSA
Key length 2048
Key usage Signature
Extended key usage CA Cert
Fingerprint D6:DA:A8:20:8D:09:D2:15:4D:24:B5:2F:CB:34:6E:B2:58:B2:8A:58

So the message is accurate - cert has expired.

I have "Update Trusted CA for Proxies" on automatic and have pressed the button to
"Download the latest versions of the Trusted CA certificates ".

Anyone know where the certs are being pulled from? A Watchguard managed source?

T55 running 12.9.3.B679093.

We have M370 firebox and have recently moved from SSLVPN to IKEv2. However, we have one home user who we just can't get working on IKEv2 and have thus needed to leave SSLVPN active for this one user.

Our parent organisation run weekly Nessus Scans and these report:

Medium Vulnerability Name : "SSL Self-Signed Certificate" and  "SSL Certificate Cannot Be Trusted"

What steps do I need to take to prevent these vulnerabilities being picked up by the Nessus scan while we continue to provide SSLVPN access to this one user?

Many thanks,
Graham

I want to be able to sign digitally through the browser with a certificate from the FNMT, but when I change the action to inspect in the domain name rules, the certificate does not work.
It is as if the personal certificate was not installed on the computer.

This is the test website:
https://www.sede.fnmt.gob.es/certificados/persona-fisica/verificar-estado/solicitar-verificacion

Adjunto imagen
https://us.v-cdn.net/6029905/uploads/editor/wt/i2xmr2kzjtls.png

we have been using https deep packet inspection for years now.

Recently, we have been getting more and more feedback that websites cause certificate warnings, but only from the company network. The reason is always a missing intermediate certificate on the Watchguard's certificate store. If I add these manually, everything is ok again.
Now I have updated to the latest firmware, but unfortunately the manually added certificates are lost!?
Has anyone had similar experiences at the moment?

Thanks in advance,

Joerg

I set the certificate to the external domain (ext-domain.com) so my external users don't get certificate warnings. My internal users, when authenticating, connect to https://wg.int-domain.com:4100 but get a certificate error because the domain doesn't match the external certificate.

I've raised this with WG and they created a bug/feature request for it but like other things I've reported it'll just sit there sending me reminder emails for the next millennia.

I also have a Pulse SSL VPN and I can configure different certificates on internal ports to External ports. Would this be a useful feature for anyone else or does anybody know a way around it?

Thanks

Thanks

I have previously logged a call when trying to add ECC certificates for our own Content Inspection, but have had to revert back to RSA due to issues connecting to websites.

is there a way that i can allow my users to browse to this address

thanks
Tess

2022-06-12 09:16:26 pxy Peer certificate preverify failed (err 20 : unable to get local issuer certificate) for [/C=KR/ST=Kyong-gi/O=Samsung Electronics/OU=Samsung Hubsite/CN=.samsungcloudsolution.net] (cert 0x1056f680, store 0x10a394b8)
2022-06-12 09:16:26 pxy Peer certificate preverify failed (err 21 : unable to verify the first certificate) for [/C=KR/ST=Kyong-gi/O=Samsung Electronics/OU=Samsung Hubsite/CN=.samsungcloudsolution.net] (cert 0x1056f680, store 0x10a394b8)

Q1: Is the use of the wildcard "*" even valid nomenclature

...and, more importantly...

Q2: Is there a way of fixing this so that the certificate look-up is resolved?

If the fix involves me downloading and installing a certificate (or three) to the Firebox, you'll have to give me the details like where to find the valid certificate(s). It has been centuries since I have had to do any of this type of network stuff.

Same error, file already exists when importing into the FB.

Do I need to delete the current third party cert before I can upload the new one?
That doesn't seem right.
I assumed I could import the new cert and go into Policy Manager > Setup > Certificates > Web Server and choose the new cert from the drop down menu and make it the active FB web cert.

The CSR was originally generated from the FB so no worry about importing the certificate chain in the correct order.

I'm missing something.

Thanks,

• Doug